Put Antivirus Protection Where it Belongs—On the ISP

Is there a business case for ISPs to take on security protection for their customers? Security Supersite Editor Larry Seltzer proposes a new business model. And he warns that ISPs and antivirus companies had better get their acts together given recent mov

In the past, I've written about the advantages of implementing antivirus protection at the ISP level. Here's the short course on advantages of this approach in the consumer market when compared to the current approach of running antivirus software on end-user desktops:
  • The ISP can make sure all its customers are protected from the outside as well as from each other.
  • It's much easier to keep ISPs updated with current antivirus software and virus signatures than it is to separately update many thousands, even millions of customers.
  • It allows ISPs to track the origins of malicious code entering their networks.
  • The approach increases both the ISPs' and antivirus vendors' knowledge of outbreak behavior since each ISP can watch and report on its entire network.

In addition, consider that if ISPs worked together to share their network-wide information, everyone would be in a better position to recognize and then deal with attacks.

At the same time, here's an interesting, if scary proposition with this ISP approach: If my ISP recognized that my PCs were sending out malicious attacks, they could route me out of the network, block me off and let me know that I'm a problem. Now, I'm sure I would be outraged if this happened to me, but right now—dealing in the abstract—I would be willing to put up with this potential consequence, knowing that I would also be protected against anyone else who is spreading digital diseases.

Of course, ISP and desktop antivirus protection aren't mutually exclusive, far from it. The most important way to deal with individuals spreading malicious code is to make sure that they are also running desktop antivirus software.

Still, the prospect of losing their consumer desktop business would push antivirus companies, especially successful ones (this basically means Symantec, which dominates the consumer space), to shift to an ISP-centric model.

While the antivirus vendors focus on the ISPs, they can also become partners. It's the relationship with the ISP that matters most here. The ISPs can sell desktop protection to their customers at a discount, while using the network-based protection as a marketing incentive. This may be a tough sell to some customers, but client-side protection is absolutely necessary, especially when kids pass CD-Rs around.

The software sold by the ISP could probably also be keyed to work only with a client of that particular service. Many people won't like this idea, but if it helps to bring the ISPs on board by helping them to retain customers then we should go along with it.

There are a few open questions over whether this would fly with consumers: cost, cost and most importantly, cost. Without a doubt, it's important that the overall cost be kept close to the current cost of acquiring and updating antivirus software. But the real question is whether ISPs can charge extra for this service. Few have had the nerve to try.

With all the past resistance, it's difficult to see this approach having widespread adoption by ISPs without an extra cost. This protection might create routing complications for ISPs if they need to make different connections for protected clients and unprotected ones. However, if all they are protecting is e-mail, the most prominent attack vector, then this worry is unnecessary as all they need to do is to give different mail server addresses to the different categories of users and enforce authentication even for SMTP.

AOL is important in this regard, even in its current weakened state and after failed efforts to enter the broadband markets. Anything AOL does will set a standard for the competition.

Ironically, because AOL mail is a proprietary client, AOL users are less susceptible to many of the most important viruses, but just as with any other mail client, the user is free to launch infected attachments. (In fact, speaking of irony, only Microsoft Outlook and Outlook Express block potentially infectious attachments. In fact, to clean out the irony department, both Hotmail and Yahoo! Mail for years have scanned all e-mail for viruses.)

Instead, AOL let their users and the Internet as a whole down by not incorporating antivirus protection into their service. And since their service relies on a proprietary client program they could have easily incorporated the additional client-side protection.

Remember that AOL isn't the only ISP with a proprietary client. Microsoft is in the same position as AOL to provide antivirus protection to their MSN users, and—pure coincidence I'm sure—Microsoft just bought an antivirus product line. Adding integrated antivirus protection as a premium service to MSN would fit right in with recently-announced company plans.

If there were no cost issue there should be no question that ISPs should be providing this service to their customers. Besides, there is no question that it would help to mitigate the effect of attacks in general.

Security Supersite Editor Larry Seltzer has worked in and written about the computer industry since 1983.